RegistrationSchema = Dry::Schema.Params do
required(:email).filled(:string, format?: URI::MailTo::EMAIL_REGEXP)
required(:password).filled(:string, min_size?: 12)
optional(:marketing_opt_in).filled(:bool)
optional(:country).filled(:string, included_in?: %w[US CA GB AU])
end
cookies.encrypted[:trusted_device] = {
value: { user_id: current_user.id, fingerprint: device_fingerprint }.to_json,
expires: 30.days.from_now,
httponly: true,
secure: Rails.env.production?,
same_site: :strict,
class Rack::Attack
throttle('logins/ip', limit: 5, period: 20.seconds) do |request|
request.ip if request.path == '/users/sign_in' && request.post?
end
throttle('password_reset/email', limit: 3, period: 15.minutes) do |request|
auth:
- authentication required for non-public endpoints
- authorization rules documented and tested
data:
- secrets stored outside source control
- encryption in transit enabled